Abstract

Given a system with n ≥ 3t + 1 processes, where t is the tolerated number of faulty ones, we present a fast asynchronous Byzantine agreement protocol that can reach agreement in O(t) expected running time. This improves the O(n²) expected running time of Abraham, Dolev, and Halpern [?]. Furthermore, if n = (3 + ε)t for any ε > 0, our protocol can reach agreement in O(1/ε) expected running time. This improves the result of Feldman and Micali [?] (with constant expected running time when n > 4t).


1. Introduction

The Byzantine Agreement (BA) problem, first introduced by Pease, Shostak, and Lamport [11][12], is a fundamental problem in distributed computing. Given n processes, t of which are faulty, the problem consists in having all correct processes agree on one of the input values. The faulty processes may deviate arbitrarily from the algorithm assigned to them, e.g., to prevent the correct processes from agreeing on one of their input values.

A lot of work has been devoted to the problem in the last three decades. Despite the effort, the Asynchronous Byzantine Agreement (ABA) problem, where the communication between processes can take an arbitrary amount of time, is still not very well understood. Certain results are however known. For example, it is known that the problem is impossible to solve if n ≤ 3t [9][12]. Any ABA protocol assuming n > 3t is called optimally resilient. According to the seminal result of [?], any deterministic ABA protocol must have some non-terminating execution.

Faced with the impossibility result [?], a natural direction of research is to design efficient randomized Byzantine agreement protocols. This direction was started with the work of Ben-Or [?], Rabin [13], and Bracha [?]. Remarkably, Canetti and Rabin [?] proposed an ABA protocol with constant expected running time and overwhelming probability to terminate. With a randomized ABA protocol, the best that can be achieved is to have every execution terminate with probability one. Such protocols are said to be almost-surely terminating [?].

Several almost-surely terminating ABA protocols were proposed. In 1983, Ben-Or [?] proposed an almost-surely terminating ABA protocol for n > 5t, which runs in exponential expected time. One year later, Bracha [?] presented an almost-surely terminating ABA, which also runs in exponential expected time, but with optimal resilience, i.e., for n > 3t. In 1988, Feldman and Micali [?] presented an almost-surely terminating ABA protocol with constant expected time, assuming however n > 4t. Twenty years later, Abraham, Dolev, and Halpern [?] presented an almost-surely terminating optimally resilient ABA protocol with polynomial efficiency (the expected running time is O(n²)). In some sense, the state-of-the-art results for almost-surely terminating ABA are [?] and [?]: optimal resilience with polynomial efficiency on the one hand, or constant expected time, assuming however n > 4t, on the other hand.

We present in this paper a new almost-surely terminating ABA protocol that achieves significant progress with respect to the state of the art. For n > 3t, our protocol completes in O(t) expected running time. If n > (3 + ε)t, where ε is an arbitrary positive constant, our protocol has O(1/ε) expected running time. Table 1 aggregates these results in the context of related work.

Most ABA protocols follow the idea of Ben-Or [?], Rabin [13], and Bracha [?], namely a reduction of the ABA problem to the implementation of a common coin (namely, a source of common randomness with certain properties). Specifically, the reduction of Bracha [?] is optimally resilient and runs in constant expected time. Thus, designing efficient ABA protocols could be solved by designing efficient common coins. The protocol of Feldman and Micali [?] includes a method to implement a common coin by making use of a verifiable secret sharing (VSS) scheme. (For a complete description of the reduction from VSS to ABA, see [5].) Canetti and Rabin [6] have an implementation of asynchronous verifiable secret sharing (AVSS) with constant expected running time but overwhelming probability to terminate (the resulting ABA protocol is thus not almost-surely terminating). Recently, King and Saia [10] introduced a novel technique for implementing a common coin via a spectral method.

Reference                            Resilience              Expected Running Time
Ben-Or (1983) [?]                    n > 5t                  O(2^n)
Bracha (1984) [?]                    n > 3t                  O(2^n)
Feldman, Micali (1988) [?]           n > 4t                  O(1)
Abraham, Dolev, Halpern (2008) [?]   n > 3t                  O(n²)
This paper                           n > 3t                  O(t)
This paper                           n > (3 + ε)t, (ε > 0)   O(1/ε)

Table 1. Results for the almost-surely terminating ABA problem

This paper follows the reduction from (some form of) AVSS to ABA. We first recall the standard AVSS scheme [?]. Roughly speaking, an AVSS scheme consists of a sharing phase and a reconstruction phase, involving a process designated as the dealer, which has a value (usually called the secret) to share. In the sharing phase, the dealer shares its secret among all processes and each process locally verifies that a unique secret is being considered. In the reconstruction phase, the processes reconstruct the secret from the shares. The correctness of AVSS relies on two properties: (1) if the dealer is correct, then all correct processes will reconstruct the secret of the dealer, and (2) if the dealer is faulty, then all correct processes will reconstruct the same value that is fixed in the sharing phase.

We introduce in this paper a variant of AVSS called IVSS (standing for inferable (asynchronous) verifiable secret sharing). Our IVSS scheme has a weaker correctness property than AVSS, but provides a strong fault-detection ability. Specifically, IVSS requires that if the correctness property of AVSS does not hold in an invocation of some round, then the correct processes will ignore (or infer) at least t(n − 3t) faulty pairs from that round on. Here, by a faulty pair, we mean a pair of processes of which at least one is faulty. In our IVSS protocol, secrets are shared through symmetric bivariate polynomials. If processes reconstruct different secrets in the protocol, the symmetry of the polynomials can be used to infer faulty pairs.

There are existing secret sharing protocols with fault-detection capacity, e.g., shunning verifiable secret sharing in [2] and secret sharing with dispute control in [1]. These protocols are composed of several levels of secret sharing subprotocols, while our protocol is very simple, with only a one-level secret sharing subprotocol. In all previous approaches, the Byzantine agreement algorithm proceeds round by round and, once a round is over, the correct processes forget it and never look back at it. In fact, if a correct process could look back at the history of invocations of the secret sharing protocol, it might infer more failures. We implement this history-based checking mechanism in a certification subprotocol. This subprotocol is invoked when the Byzantine agreement protocol is initialized and then runs concurrently with all invocations of our IVSS protocol. The main technique for inferring faults in our protocol is also different from [1][2]. Our fault-detection mechanism is based on symmetric polynomials, which enable our protocol to infer a linear number of faults when secret sharing does not succeed, while the protocols in [1][2] can generally infer only one fault.

The rest of this paper is organized as follows. In Section 2 we recall the asynchronous computing model and the Byzantine agreement problem. In Section 3 we state the properties of our IVSS scheme and describe an algorithm that implements it. In Section 4 we show how to obtain our fast ABA protocol from our IVSS scheme. For space limitations, some algorithms and proofs are given in the appendices.

2. Model and Definitions

The Model. We consider an asynchronous computing model in the classical sense, e.g., [?]. We consider a complete network of n processes with identifiers {1, 2, ..., n}. The number n is always strictly greater than 3t. The communication channels are private, i.e., no one can read or alter messages transmitted along them. Messages sent on a channel may have arbitrary (but finite) delay. A t-adversary can control at most t processes during the Byzantine agreement protocol. Once a process is controlled, it hands all its data over to the adversary and follows its instructions. We call all these controlled processes faulty ones and the other, uncontrolled processes correct ones. Note that the adversary cannot access messages transmitted between correct processes, due to the private communication channels.

We measure the running time of a protocol by the maximal expected number of communication rounds it takes to reach agreement [6][10]. Consider a virtual 'global clock' measuring time in the network. This clock cannot be accessed by the processes. Let the delay of a message transmission denote the time elapsed from its sending to its reception. The period of a finite execution of a protocol is the longest delay of a message transmission during this execution. Let the duration of a finite execution denote the total time measured by the global clock divided by the period of this execution. The expected running time of a protocol is the maximum, over all inputs and applicable adversaries, of the average of the duration of executions of the protocol over the random inputs of the processes. In addition, each process divides its local time into rounds and executes a protocol round by round. The time of each round is less than or equal to a period of the execution of a protocol. The expected running time of a protocol can therefore be computed as the expected number of rounds in an execution.

Asynchronous Byzantine Agreement.

Definition 1 (ABA). Let π be any asynchronous protocol in which each process has a binary input. We say that π is an almost-surely terminating, t-resilient ABA protocol if the following properties hold for every t-adversary and every input:

• Termination: With probability one, every correct process terminates and outputs a value.

• Correctness: All correct processes which have terminated have the same output. Moreover, if all correct processes have the same input, denoted v, then all correct processes output v.

Asynchronous Broadcast: A-Cast. We will often make use of this asynchronous broadcast primitive, introduced by Bracha [4] (for n > 3t). We follow the terminology in [5]. For completeness, the implementation is provided in the appendix.

Definition 2 (A-Cast). Let π be any asynchronous protocol initiated by a designated process (the sender) which has an input value u to be broadcast. We say that π is a t-resilient A-Cast protocol if the following properties hold for every t-adversary:

• Termination:

1. If the sender is correct and all correct processes participate in π, then every correct process eventually completes it.

2. If some correct process completes π, then every correct process eventually completes it.

• Correctness:

1. All correct processes which complete π receive the same value v.

2. If the sender is correct, then v = u.

3. Inferable Verifiable Secret Sharing

In this section, we first state the properties of our IVSS scheme. Then we provide an implementation of IVSS. We prove that our implementation satisfies all the IVSS properties and finally we analyze its fault-detection.

3.1. Definition

Definition 3 (Faulty Pair). An unordered pair {i, j} of processes is called a faulty pair if either i or j is faulty.

Our IVSS protocol consists of two subprotocols: S (sharing protocol) and R (reconstruction protocol). These two are invoked separately, but R is never called unless S is completed, and R may not be called even if S is completed. If the correct processes do not reconstruct the same secret in R, then a set of faulty pairs will be inferred. We assume that each IVSS invocation is unique for every correct process. This can be easily guaranteed, e.g., by associating with each IVSS invocation the identifier of the dealer and an invocation counter.

Definition 4 (IVSS). Let (S, R) be any pair of sharing-reconstruction protocols with a dealer which has a secret s to share. We say that (S, R) is an IVSS protocol if the following properties (called IVSS properties) hold.

• Termination:

1. If the dealer is correct and all correct processes keep participating in protocol S, then every correct process eventually completes protocol S.

2. If some correct process completes protocol S, then every correct process that keeps participating in protocol S eventually completes protocol S.

3. If some correct process completes protocol S and all correct processes begin protocol R and keep participating in protocol R, then every correct process eventually completes protocol R.

4. If some correct process completes protocol R, then every correct process that keeps participating in protocol R eventually completes protocol R.

• Correctness: Once a correct process has completed protocol S, there is a unique value v such that the following holds.

1. Either every correct process upon completing protocol R outputs v, or a set of new faulty pairs is eventually inferred by the correct processes. (In our implementation, the size of the set of new faulty pairs is at least t(n − 3t).)

2. If the dealer is correct, then v = s.

• Secrecy: If the dealer is correct and no correct process invokes protocol R, then the faulty processes have no information about secret s.

Note that a correct process is said to keep participating in a protocol if it follows the protocol until completion. Another note is that we assume all secrets, random values, and polynomials to be over the integer ring.

3.2. Implementation

In our ABA protocol, the processes invoke a set of secret sharing instances in each round (starting from round 1). Every process records its invocations in each round r and A-Casts these invocations in the next round r + 1 to let the other processes know about its behavior in round r. We introduce a new component, which we call the certification protocol, to take care of the IVSS invocations from past rounds and infer faulty pairs. The certification protocol is invoked before round 1 and runs concurrently with all invocations of IVSS. Hence our IVSS protocol should be aware of the particular round it is involved in, and should make progress based on the data from past rounds. Therefore, we use the notation IVSS[r] with the round number r as a parameter. In this section, we give a high-level description of IVSS[r] and of our certification protocol.

In the sharing phase, we assume that the dealer with secret s selects a random degree-t symmetric bivariate polynomial f such that f(0, 0) = s. Let f_i denote the degree-t polynomial such that f_i(y) = f(i, y) for y ∈ {1, ..., n}. The dealer shares secret s by sending polynomial f_i to process i. By polynomial interpolation, if the dealer is correct, then any t + 1 correct processes could reconstruct f. Since f is a symmetric polynomial, we should have f_i(j) = f_j(i). Each process k that receives f̃_k sends f̃_k(i) to process i. When k receives f̃_i(k) from process i, k checks whether f̃_i(k) = f̃_k(i). This equality may not hold, since the dealer or process i could be faulty. If the equality holds, then k A-Casts "equal: (k, i)". When the dealer receives "equal: (i, j)" for every pair of processes i, j in a set M that contains n − t processes, and checks that M does not contain faulty pairs according to the IVSS invocations in the past rounds (see the description of the certification protocol below), the dealer A-Casts M. Intuitively, M is a candidate set that processes could trust to reconstruct the secret. If process k receives set M from the dealer and checks the correctness of M as the dealer did, then k completes the sharing protocol.

In the reconstruction phase, the processes in M A-Cast the polynomials they received from the dealer. When process k receives polynomials from n − 2t processes and these polynomials can be interpolated to a degree-t symmetric bivariate polynomial f, k considers f(0, 0) as the dealer's secret. If f is not equal to the polynomial selected by the dealer in the sharing phase, we can show that a set of faulty pairs will be inferred. In order to get every secret sharing instance checked by the certification protocol in the next round, it is important that, when a correct process completes a secret sharing invocation, at least t + 1 correct processes take this invocation as their history invocation. Therefore, after getting polynomial f, k first A-Casts a message "ready to complete" and records the invocation. Then k completes the reconstruction phase if k receives n − t "ready to complete" messages.

Our certification protocol handles the history of invocations. Process k uses the set FP_k to track the faulty pairs it has inferred. In each round r, k records all invocations of IVSS[r] and adds them into a set called CoreInvocations^r_k. Then, at the beginning of round r + 1, k A-Casts CoreInvocations^r_k to let the other processes know its actions in round r. Intuitively, this means that every correct process should know what the other processes have done in the past rounds. If a process k receives f̃_i from i and f̃_j from j but f̃_i(j) ≠ f̃_j(i) for some IVSS instance, then k knows that at least one of i, j is faulty and adds the unordered pair {i, j} to FP_k. The word "inferable" in IVSS means that correct processes can infer faulty pairs during the execution. If k receives CoreInvocations^r_l from process l, then it checks for each invocation I in CoreInvocations^r_l that every correct process in M of I has A-Cast its polynomial in the beginning of the reconstruction phase, and that no pair of correct processes is considered a faulty pair according to these invocations. If k has checked that an unordered pair {i, j} is not a faulty pair according to the invocation history of l before round r, then k A-Casts "checked_r: k, l, {i, j}".

In the sharing protocol, a correct process accepts a candidate set M only if every pair of processes in M has been checked by every process in M.

Sharing protocol IVSS[r]-S:

1. If the dealer wants to share secret s in round r, it selects a random degree-t symmetric bivariate polynomial f(x, y) such that f(0, 0) = s. Let f_i denote the degree-t polynomial such that f_i(y) = f(i, y) for y ∈ {1, ..., n}. The dealer sends f_i to process i.

2. If process k receives f̃_k from the dealer, then k sends f̃_k(i) to process i. (Note that f̃_k is supposed to be f_k if the dealer is correct.)

3. If process k receives f̃_k from the dealer and receives f̃_i(k) from process i, and f̃_k(i) = f̃_i(k), then k A-Casts "equal: (k, i)". (Note that the value received from i is supposed to be f̃_i(k) if i is correct.)

4. If there is a set M of n − t processes such that the following conditions are satisfied for the dealer:

   a) for every i, j ∈ M, the dealer receives "equal: (i, j)";

   b) for every i, j, p, q ∈ M, the dealer receives "checked_r: p, q, {i, j}" from p,

   then the dealer A-Casts M. (M is called the candidate set.)

5. If process k receives M from the dealer and the following conditions are satisfied:

   a) for every i, j ∈ M, k receives "equal: (i, j)";

   b) for every i, j, p, q ∈ M, k receives "checked_r: p, q, {i, j}" from p,

   then k completes the sharing protocol.

Reconstruction protocol IVSS[r]-R:

1. If process k ∈ M, then k A-Casts polynomial f̃_k.

2. If there is a set IS_k (standing for Interpolation Set) of n − 2t processes such that

   a) k receives f̃_i from each process i ∈ IS_k; (Note that f̃_i is supposed to be f_i if i is correct.)

   b) there is a symmetric bivariate degree-t polynomial f such that f(i, j) = f̃_i(j) for all i ∈ IS_k and j ∈ M,

   then k sets v = f(0, 0), A-Casts "ready to complete" and adds this instance of IVSS[r] to CoreInvocations^r_k.

3. If k completes Step 2 and receives "ready to complete" from n − t processes, then k outputs v and completes the reconstruction protocol.

Certification protocol:

1. Process k initializes empty sets FP_k and CoreInvocations^0_k.

2. Process k sets CoreInvocations^r_k = ∅ and A-Casts CoreInvocations^{r−1}_k in the beginning of round r (r ≥ 1).

3. (Infer faulty pairs) If k receives CoreInvocations^r_l from process l, then for any instance I in CoreInvocations^r_l, if k receives f̃_i and f̃_j from processes i and j (i, j ∈ M of I) in Step 1 of IVSS-R such that f̃_i(j) ≠ f̃_j(i), then k adds the unordered pair {i, j} to FP_k.

4. If k receives CoreInvocations^r_l from process l, then for any invocation I in CoreInvocations^r_l, k completes the sharing protocol of I and Step 1 of IVSS[r]-R of I. (Note that k does this because different processes might complete different instances of IVSS[r] in round r.)

5. If the following conditions are satisfied for process k (checked in the order a, b, c):

   a) k receives CoreInvocations^{r'}_l from process l for all r' < r;

   b) for every IVSS invocation I in ∪_{r' < r} CoreInvocations^{r'}_l, if i (resp. j) is included in the candidate set M of I, then k has received the polynomial A-Cast by i (resp. j) in Step 1 of IVSS-R of I;

   c) {i, j} ∉ FP_k (here FP_k has been updated after checking condition b, see Step 3),

   then k A-Casts "checked_r: k, l, {i, j}". (Intuitively, this means that k has checked that {i, j} is not a faulty pair according to the invocation history of l before round r.)

3.3. Proof of IVSS properties

Lemma 1. If i, j, k are correct processes, then the unordered pair {i, j} will not be added to FP_k.

Proof: The pair {i, j} will be added to FP_k only if there is an invocation I of IVSS[r] such that i, j ∈ M and the polynomials f̃_i and f̃_j A-Casted by i and j in Step 1 of IVSS[r]-R satisfy f̃_i(j) ≠ f̃_j(i). However, if i, j ∈ M then i and j must have A-Casted "equal: (i, j)" and "equal: (j, i)" and hence must have checked that f̃_i(j) = f̃_j(i) in IVSS[r]-S. Thus {i, j} will not be added to FP_k. □

Lemma 2. In round r (r ≥ 1), if i, j, k, and l are correct processes, then k eventually A-Casts "checked_r: k, l, {i, j}".

Proof: Since {i, j} is not in FP_k by Lemma 1, we only need to check conditions a and b of Step 5 in the certification protocol.

Condition a: Since l is correct, l A-Casts CoreInvocations^{r'}_l in the beginning of round r' + 1 for every r' < r. Then k will receive these sets by the properties of A-Cast.

Condition b: Suppose that i is in the set M of an IVSS[r'] invocation I in ∪_{r' < r} CoreInvocations^{r'}_l. Since l adds I into its CoreInvocations, l must have completed the sharing protocol of I. Then i must have received polynomial f̃_i from the dealer in invocation I. According to Step 4 of the certification protocol, i will complete Step 1 of IVSS[r']-R of I. So k will receive the polynomial A-Casted by i in Step 1 of IVSS[r']-R of I.

Taking the above together, k will A-Cast "checked_r: k, l, {i, j}". □

Lemma 3. Let N be a subset of {1, ..., n} with |N| ≥ t + 1. Let {f_i}_{i ∈ N} be a set of degree-t univariate polynomials. If f_i(j) = f_j(i) for all i, j ∈ N, then there is a unique symmetric bivariate degree-t polynomial f such that f(i, j) = f_i(j) for all i, j ∈ N.

Proof: Select any subset N_0 of N such that |N_0| = t + 1. Let

$$f_0(x, y) = \sum_{i \in N_0} \sum_{j \in N_0} f_i(j) \prod_{k \in N_0,\, k \neq i} \frac{x - k}{i - k} \prod_{k \in N_0,\, k \neq j} \frac{y - k}{j - k}.$$

By Lagrange interpolation, f_0(i, j) = f_i(j) for all i, j ∈ N_0. Since f_i(j) = f_j(i), f_0 is a symmetric bivariate degree-t polynomial by definition. Now we prove that f_0(i, j) = f_i(j) for all i, j ∈ N.

Consider any arbitrary i in N. We have f_i(j) = f_j(i) = f_0(j, i) for all j ∈ N_0. Since f_0 is symmetric, we have f_i(j) = f_0(i, j) for all j ∈ N_0. Since |N_0| = t + 1, we have f_i(y) = f_0(i, y) for any y. In particular, f_i(j) = f_0(i, j) for all j ∈ N. Hence, f_0 satisfies f_0(i, j) = f_i(j) for all i, j ∈ N. The uniqueness follows easily from Lagrange interpolation. □


Theorem 1. Assume n > 3t. Then the pair (IVSS[r]-S, IVSS[r]-R) satisfies all the IVSS properties.

Proof: We check below the IVSS properties.

Termination (1): Suppose the dealer is correct and all correct processes keep participating in IVSS[r]-S. Every correct process will receive correct messages from the dealer. Then for each pair (i, j) of correct processes, i will A-Cast "equal: (i, j)". By Lemma 2, for correct processes i, j, k, l, "checked_r: k, l, {i, j}" will be A-Cast by k. Thus the set of correct processes will satisfy the conditions in Step 4 of IVSS[r]-S. Therefore, a correct dealer will A-Cast a set M with respect to Step 4 of IVSS[r]-S. Since all messages that the dealer received in Step 4 are sent using A-Cast, it follows that all correct processes will receive M and check that M satisfies the conditions in Step 5 of IVSS[r]-S. Hence, every correct process will complete IVSS[r]-S.

Termination (2): If a correct process completes IVSS[r]-S, then, since all messages required in Step 5 of IVSS[r]-S are sent by A-Casting, every correct process that keeps participating in IVSS[r]-S will receive these messages and complete IVSS[r]-S.

Termination (3): If some correct process completes protocol IVSS[r]-S and all correct processes begin IVSS[r]-R and keep participating, we show that every correct process will complete IVSS[r]-R. Let C be the set of correct processes in M. Since |M| ≥ n − t, we have |C| ≥ n − 2t. Let f_i be the polynomial that i (i ∈ C) received from the dealer. Since C ⊆ M, we have f_i(j) = f_j(i) for all i, j ∈ C. By Lemma 3, there is a symmetric bivariate degree-t polynomial f such that f(i, j) = f_i(j) for all i, j ∈ C. Thus C satisfies the conditions in Step 2 of IVSS[r]-R. It follows that every correct process will complete Step 2 of IVSS[r]-R and A-Cast "ready to complete". Therefore, every correct process will receive at least n − t "ready to complete" messages and complete IVSS[r]-R.

Termination (4): If a correct process completes IVSS[r]-R, then, since all messages required for completing IVSS[r]-R are sent by A-Casting, every correct process that keeps participating in IVSS[r]-R will receive these messages and complete IVSS[r]-R.

We now turn to the correctness properties.

Suppose that a correct process has completed the sharing protocol. By Lemma 3, there is a symmetric bivariate degree-t polynomial f such that f(i, j) = f_i(j) for all i, j ∈ C, where C is the set of all correct processes in M. We denote f(0, 0) as v.

Correctness (1): If some correct process k completes IVSS[r]-R and outputs a value different from v, then IS_k must be different from C. And there must be some process i ∈ IS_k and some process j ∈ C such that f̃_i(j) ≠ f(i, j), otherwise IS_k would also interpolate f and output f(0, 0). Since f(i, j) = f(j, i) = f_j(i), we have f̃_i(j) ≠ f_j(i), which means some faulty pair will be inferred (we analyze how many pairs can be inferred in the following section).

Correctness (2): If the dealer is correct, then f_i(j) = f̂(i, j) for all i, j ∈ C, where f̂ is the polynomial selected by the dealer. Thus f = f̂ and v = f(0, 0) = f̂(0, 0) = s.

Secrecy: By polynomial interpolation, the combined view of the t faulty processes is not enough to compute the initial random degree-t polynomial selected by the dealer. As long as no correct process invokes IVSS[r]-R, the shared secret is independent of the information obtained by the faulty processes. Hence, the faulty processes have no information about the shared secret.

So all the IVSS properties hold for IVSS[r]. The theorem follows. □

3.4. Fault-Detection Analysis

We introduce the following convention for the analysis of fault-detection in the certification protocol. Consider an instance R of IVSS[r]-R in CoreInvocations^r_i for a correct process i. If a faulty process l in M of R does not send its polynomial in Step 1 of R, then in any round r' (greater than r), no correct process will allow l to appear in M of IVSS[r'] (see condition (b) of Step 5 in IVSS[r']-S and Step 5 of the certification protocol). This is the best case for the correct processes. Therefore, without loss of generality, we use the following convention.

Convention. In any instance of IVSS[r]-R and any round r, every faulty process in the corresponding set M eventually A-Casts a polynomial (which can be arbitrary) according to Step 1 of IVSS[r]-R.

Consider an arbitrary instance of IVSS[r]. With the above convention, let f̃_i be the polynomial eventually A-Casted by process i ∈ M in Step 1 of IVSS[r]-R. We say that a set S ⊆ M of at least n − 2t processes is an interpolation set if there is a symmetric bivariate degree-t polynomial g such that g(i, j) = f̃_i(j) for all i ∈ S. Two interpolation sets S and S' are different if the corresponding bivariate polynomials are different, which implies |S ∩ S'| ≤ t by Lemma 3.

For an instance I of IVSS[r], recall that by Lemma 3 the polynomials that the processes in C received from the dealer define a unique symmetric bivariate degree-t polynomial, and therefore define a unique secret s. We say that s is the secret defined by I.

Definition 5. Let E be the event that at least one of the correct processes outputs a value s' in the reconstruction phase of I such that s' ≠ s.

If E never occurs, then we can get a common coin with high probability (we will show this later in Section 4). Thus it is significant to analyze the situation when E occurs.

Lemma 4. E can only occur in some instance I of IVSS[r] when n ≤ 4t.

Proof: If E occurs, then there are at least two different interpolation sets. One of these is the set C of correct processes in M; the other one is the interpolation set IS causing some correct process to output a different secret. Since |C| ≥ n − 2t, |IS| ≥ n − 2t, and |C ∩ IS| ≤ t, we have |C ∪ IS| = |C| + |IS| − |C ∩ IS| ≥ 2n − 5t. If n > 4t, then |C ∪ IS| > n − t. This is impossible since |C ∪ IS| ≤ |M| = n − t. Therefore, E can only occur when n ≤ 4t. □

Lemma 5. If E occurs in some instance I of IVSS[r], then at least t(n − 3t) faulty pairs will be inferred by every correct process due to I.

Proof: When E occurs, at least one correct process completes instance I. According to Step 3 of IVSS[r]-R, there are at least n − 2t correct processes that have A-Casted "ready to complete". According to Step 2 of IVSS[r]-R, these correct processes must have added I into their set CoreInvocations. In the next round r + 1, the candidate set M of any instance of IVSS[r + 1] will contain at least one of these n − 2t processes, since |M| = n − t and n − 2t > t. Thus I will be checked by every correct process in the certification protocol. Since the faulty pairs are inferred from the polynomials A-Casted by the processes in M of I, all correct processes will infer the same faulty pairs. So we only need to prove the lemma for a correct process k.

Let {S_1, S_2, ..., S_r} be all maximal interpolation sets with respect to the inclusion relation of sets. Since E occurs, there must be at least two maximal interpolation sets, one of which implies the secret s defined by I and another of which implies a secret s' ≠ s, i.e., r ≥ 2. Suppose i, j ∈ {1, ..., r} and i ≠ j. By the maximality of the interpolation sets, |S_i ∩ S_j| ≤ t. Let S_0 be the interpolation set in {S_1, S_2, ..., S_r} with the smallest cardinality. Since |S_i ∪ S_j| ≤ |M| = n − t and |S_i ∩ S_j| ≤ t, we have |S_i| + |S_j| = |S_i ∪ S_j| + |S_i ∩ S_j| ≤ n. Therefore |S_0| ≤ n/2. Also, from the definition of an interpolation set, we have |S_0| ≥ n − 2t.

Suppose the corresponding symmetric bivariate polynomial for S_0 is f^0. Let f^0_i be the polynomial with f^0_i(y) = f^0(i, y). Since f^0 is symmetric, f^0_i(j) = f^0(j, i) = f̃_j(i) for every j ∈ S_0.

Recall that f̃_j is the polynomial eventually A-Casted by process j ∈ M in Step 1 of IVSS[r]-R of instance I. For any i ∈ M with i ∉ S_0, we have f̃_i ≠ f^0_i, because otherwise S_0 ∪ {i} would be an interpolation set bigger than S_0, which contradicts the fact that S_0 is maximal. Since f̃_i ≠ f^0_i, the polynomial f̃_i − f^0_i has at most t zeros. So there are at least |S_0| − t processes j in S_0 such that f̃_i(j) ≠ f^0_i(j), i.e., f̃_i(j) ≠ f̃_j(i) (since f^0_i(j) = f̃_j(i) for j ∈ S_0), which leads to the faulty pair {i, j}. Therefore, for each i ∈ M with i ∉ S_0, k will infer at least |S_0| − t faulty pairs. In total, k can infer at least (|S_0| − t)(n − t − |S_0|) faulty pairs. Since n − 2t ≤ |S_0| ≤ n/2, we have (|S_0| − t)(n − t − |S_0|) ≥ (n − 3t)t. The lemma is proved. □

In the lemma above, we show that a set of faulty pairs will eventually be inferred if E occurs in an
instance of IVSS[r]. However, “eventually” is not enough to improve the running time. In the next lemma,
we will show that the faulty pairs inferred from an instance of IVSS[r] will not appear in the candidate set M
of IVSS[r + 1] even though these faulty pairs might be inferred after the invocation of IVSS[r + 1].

Lemma 6. If E occurs in some instance I of IVSS[r], and {i, j} is eventually inferred as a faulty pair
by the correct processes due to I, then i and j could not appear simultaneously in the set M of any
instance of IVSS[r'] with r' > r.

Proof: Since E occurs, there must be a correct process (say k) that completes instance I. Then, by
Step 3 of IVSS[r]-R, k must have received “ready to complete” from n − t processes. According to Step
2 of IVSS[r]-R, these n − t processes must have added instance I into CoreInvocations. Then there
are at least n − 2t correct processes (denoted by S) that have added instance I into CoreInvocations.

Now consider round r' > r. In any instance I' of IVSS[r'], the set M, A-Casted by the dealer, contains
at least one correct process (denoted by l) from S since |M| ≥ n − t and |S| ≥ n − 2t ≥ t + 1. If i and
j are both in the set M of I', then every correct process k' in M must A-Cast “checked_{r'}, k', l, {i, j}”
according to Step 5 of IVSS[r']-S. By Step 5 of our certification protocol, k' must have received the
corresponding polynomials of i and j A-Cast in Step 1 of IVSS[r]-R. However, this would make k'
add {i, j} into FP_{k'} and not A-Cast “checked_{r'}, k', l, {i, j}”. This is a contradiction. Therefore, i and
j could not appear simultaneously in the candidate set M of any instance of IVSS[r'] with r' > r. □

Lemma 7. If n = 3t + δ, then there are at most 3t/δ + 1 rounds where E occurs.

Proof: Suppose E occurs in rounds r_1, r_2, ..., r_c and denote the faulty pairs that could be inferred
for these rounds by S_1, S_2, ..., S_c. By Lemma 6, S_i is different from S_j for 1 ≤ i, j ≤ c and i ≠ j.
According to Lemma 5, there will be at least c·(n − 3t)t different faulty pairs inferred. Since each faulty
process can only appear in n faulty pairs, we have t·n ≥ c·(n − 3t)t. Thus, c ≤ n/(n − 3t) = 3t/δ + 1. □

4. From IVSS to Asynchronous Byzantine Agreement

Using our IVSS[r] protocol, we now design an ABA protocol (following the reduction scheme of
Canetti and Rabin [6]). The first step is to get a common coin. In the common coin protocol of [6], every
process shares n random secrets using n different invocations of an AVSS protocol. Following
Figure 5-9 of [5] and using our IVSS[r] protocol, we obtain an Inferable Common Coin (ICC) protocol
which always terminates.

Definition 6 (ICC). Let π be any protocol where every process has a random input and a binary output.
We say that π is a terminating, t-resilient Inferable Common Coin protocol if the following properties
(called ICC properties) hold for every t-adversary.

• Termination.

1. If all correct processes keep participating in π, then every correct process eventually completes.

2. If some correct process completes π, then every other correct process that keeps participating in
π eventually completes.

• Correctness. For every invocation, either

- for each v ∈ {0, 1}, with probability at least 1/4, every correct process upon completing π
outputs v; or

- a set of faulty pairs is eventually inferred by correct processes.

Lemma 8. For n > 3t and each round r, there is a terminating, t-resilient Inferable Common Coin
protocol.

Proof: The protocol implementing ICC by using our IVSS[r] subprotocol is a slight variant of Figure
5-9 of [5]. We call this protocol ICC[r]. The proof is in Appendix II. □

The second step is to use the common coin protocol to get an ABA protocol. In [6], Canetti and Rabin
use their common coin protocol (that terminates with probability 1 − ε) to get an ABA protocol (that
terminates with probability 1 − ε). We replace the common coin protocol of [6] by ICC[r] to obtain our
almost-surely terminating ABA protocol.

Theorem 2 (Byzantine Agreement). If n = 3t + δ, then there is an almost-surely terminating ABA
protocol with expected running time O(t/δ).

Proof: By Lemma 7 we know there are at most 3t/δ + 1 rounds in which the adversary could break
the correctness of secret sharing. In the rest of the rounds, all correct processes reconstruct the same
value, and this value is equal to the secret of the dealer if the dealer is correct; with this we can build a
common coin that is sufficient for Byzantine agreement with constant expected running time. Therefore,
the expected running time of our ABA protocol is O(t/δ). We give the details in Appendix III. □

If we take δ = 1 in the above theorem, we have the following corollary, which improves the result of
Abraham, Dolev, and Halpern [1].

Corollary 1. If n = 3t + 1, then there is an almost-surely terminating, optimally resilient ABA protocol
with expected running time O(t).

If we take δ = εt where ε > 0, we have the following corollary, which improves the result of Feldman
and Micali.

Corollary 2. If n = (3 + ε)t where ε > 0, then there is an almost-surely terminating ABA protocol with
expected running time O(1/ε).
Appendix I.
A-Cast Protocol


Definition 7 (A-Cast). Let π be any asynchronous protocol initiated by a designated process (the sender)
which has an input value u to be broadcast. We say that π is a t-resilient A-Cast protocol if the following
properties hold for every t-adversary:

• Termination:

1. If the sender is correct and all correct processes participate in π, then every correct process
eventually completes π.

2. If some correct process completes π, then every correct process eventually completes π.

• Correctness:

1. All correct processes which complete π receive the same value v.

2. If the sender is correct, then v = u.


A-Cast Protocol: code for process i

1. The sender with input u sends “msg: u” to all processes.

2. i waits until receiving “msg: u”. Then i sends “echo: u” to all processes.

3. i waits until receiving n − t “echo: u'” messages that agree on the value of u'. Then i sends “ready: u'” to all
processes.

4. i waits until receiving t + 1 “ready: u'” messages that agree on the value of u'. Then i sends “ready: u'” to
all processes.

5. i waits until receiving 2t + 1 “ready: u'” messages that agree on the value of u'. Then i outputs u' and completes
the protocol.
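The five steps above as an event-driven simulation, added here as an example and not taken from the paper. The model is constructed: process 0 is the sender, messages are delivered in a seeded random order to stand in for asynchrony, and faulty processes stay silent apart from a (possibly equivocating) Step-1 message when the sender is faulty and an optional bogus “ready” from each faulty process, which shows why Step 4 waits for t + 1 matching readies before amplifying.

```python
"""Simulation of the A-Cast protocol (added example, not the paper's code)."""
import random
from collections import defaultdict


class Process:
    """State of one correct process in a single A-Cast instance."""

    def __init__(self, pid, n, t):
        self.pid, self.n, self.t = pid, n, t
        self.echoes = defaultdict(set)   # value -> ids that sent "echo: value"
        self.readies = defaultdict(set)  # value -> ids that sent "ready: value"
        self.sent_echo = self.sent_ready = False
        self.output = None               # set once Step 5 fires

    def on_message(self, kind, value, frm, send):
        """Deliver one message; send(kind, value) sends to all processes."""
        if kind == "msg" and not self.sent_echo:                              # Step 2
            self.sent_echo = True
            send("echo", value)
        elif kind == "echo":
            self.echoes[value].add(frm)
            if len(self.echoes[value]) >= self.n - self.t and not self.sent_ready:  # Step 3
                self.sent_ready = True
                send("ready", value)
        elif kind == "ready":
            self.readies[value].add(frm)
            if len(self.readies[value]) >= self.t + 1 and not self.sent_ready:      # Step 4
                self.sent_ready = True
                send("ready", value)
            if len(self.readies[value]) >= 2 * self.t + 1 and self.output is None:  # Step 5
                self.output = value


def run_acast(n, t, sender_values, faulty=frozenset(), faulty_ready=None, seed=0):
    """Run one A-Cast with process 0 as the sender (constructed harness).

    sender_values[j] is the Step-1 "msg" delivered to process j (all equal for a correct
    sender; a faulty sender may equivocate).  Returns {pid: output} for correct processes,
    where output is None for a process that never completes."""
    rng = random.Random(seed)
    procs = {i: Process(i, n, t) for i in range(n) if i not in faulty}
    queue = []                                   # pending (to, kind, value, frm)

    def broadcast(kind, value, frm):
        queue.extend((to, kind, value, frm) for to in range(n))

    for j in range(n):                           # Step 1
        queue.append((j, "msg", sender_values[j], 0))
    if faulty_ready is not None:                 # t bogus readies for a value nobody echoed
        for f in faulty:
            broadcast("ready", faulty_ready, f)
    while queue:
        rng.shuffle(queue)                       # arbitrary delivery order
        to, kind, value, frm = queue.pop()
        if to in procs:                          # faulty recipients simply drop everything
            procs[to].on_message(kind, value, frm, lambda k, v, me=to: broadcast(k, v, me))
    return {i: p.output for i, p in procs.items()}


def agreement_holds(outputs):
    """Correctness property 1: all correct processes that complete output the same value."""
    return len({v for v in outputs.values() if v is not None}) <= 1
```

With a correct sender every correct process completes with u; with an equivocating faulty sender no value collects n − t echoes, so nobody completes, which the A-Cast definition permits, and the t bogus readies never reach the t + 1 threshold of Step 4.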


Appendix II. 

Inferable Common Coin Protocol 

Definition 8 (ICC). Let π be any protocol where every process has a random input and a binary output.
We say that π is a terminating, t-resilient Inferable Common Coin protocol if the following properties
(called ICC properties) hold for every t-adversary.

• Termination.

1. If all correct processes keep participating in π, then every correct process eventually completes.

2. If some correct process completes π, then every other correct process that keeps participating in
π eventually completes.

• Correctness. For every invocation, either

- for each v ∈ {0, 1}, with probability at least 1/4, every correct process upon completing π
outputs v, or

- a set of faulty pairs is eventually inferred by correct processes.

Our implementation (called ICC[r]) of ICC follows [5]. Roughly speaking, the protocol consists of
two phases. First, every process shares n random secrets using our IVSS[r]-S protocol. The i-th secret
shared by each process is assigned to process i. Once a process i completes t + 1 sharing protocols of
secrets assigned to it, i A-Casts the identities of the dealers of these secrets. After this, by the correctness
property of IVSS[r], a fixed value (yet unknown) is attached to i. The second phase is to select a subset
of processes (say H) and reconstruct the attached values of H. Different processes may choose different
H to reconstruct secrets. However, if an instance of IVSS[r]-R is invoked by a strict subset of correct
processes, then there is no guarantee of termination. Hence, in ICC[r] we require every process to A-Cast
its H before completion, so that each process could try to reconstruct values with different H.


ICC[r] protocol: code for process i

1. Choose a random value x_{i,j} for all 1 ≤ j ≤ n and invoke IVSS[r]-S as a dealer for this value. Denote
this execution by IVSS[r]-S(x_{i,j}).

2. Participate in IVSS[r]-S(x_{j,k}) for every j, k ∈ {1, ..., n}.

3. Define a set T_i. Add process j to T_i if IVSS[r]-S(x_{j,l}) has been completed for all 1 ≤ l ≤ n.
Wait until |T_i| = t + 1, then assign T̄_i = T_i and A-Cast “attach T̄_i to i”. (We say that the secrets
{x_{j,i} | j ∈ T̄_i} are attached to process i.)

4. Define a set A_i. Add process j to A_i if the A-Cast “attach T̄_j to j” has been completed and T̄_j ⊆ T_i.
Wait until |A_i| = n − t, then assign Ā_i = A_i and A-Cast “i accepts Ā_i”.

5. Define a set S_i. Add process j to S_i if “j accepts Ā_j” is received from j and Ā_j ⊆ A_i. Wait until
|S_i| = n − t, then A-Cast “Reconstruct Enabled”. Let S̄_i denote the current content of S_i and H_i
denote the current content of A_i. Then A-Cast (H_i, S̄_i).

6. Participate in IVSS[r]-R(x_{k,j}) for every k ∈ T̄_j and j ∈ A_i. Let y_{k,j} be the corresponding output.

7. Let u = ⌈0.87n⌉. Every process j ∈ A_i is associated with a value, say V_j, which is computed as
follows: V_j = (Σ_{k ∈ T̄_j} y_{k,j}) mod u.

8. Wait until receiving (H_j, S̄_j) from j with H_j ⊆ A_i and S̄_j ⊆ S_i and the values associated with all
processes in H_j are computed. Now if there exists a process k ∈ H_j such that V_k = 0, then output 0.
Otherwise output 1.


We now state and prove the following lemmas which are slight variants of Lemmas 5.28-5.31 presented
in [5].

Lemma 9. If some correct process completes ICC[r], then every other correct process that keeps
participating in ICC[r] eventually completes.

Proof: If a correct process i completes ICC[r] with respect to (H_j, S̄_j), then, since all messages
are sent by A-Casting, every correct process that keeps participating in ICC[r] will receive at least t + 1
(H_j, S̄_j) as well. By the termination property (4) of IVSS[r], every correct process that keeps participating
will also compute the values associated with all the processes in H_j and then complete the protocol.

□

Lemma 10. If all correct processes keep participating in ICC[r], then all correct processes complete
ICC[r] in constant time.

Proof: First we show that every correct process will A-Cast “Reconstruct Enabled”. By termination
property (1) of our IVSS[r] protocol, every correct process eventually completes IVSS[r]-S(x_{j,k}) for every
k ∈ {1, ..., n} and correct j. Since there are at least n − t correct processes, for each correct process
i, T_i will eventually contain at least t + 1 (actually n − t) processes and thus i will eventually A-Cast
“attach T̄_i to i”. So eventually, correct process i will receive “attach T̄_j to j” from every correct process
j. Now since every process k that is included in T̄_j will be eventually included in T_i (by termination
property (2) of IVSS[r]), T̄_j ⊆ T_i will eventually hold. Therefore, every correct process j will eventually
be included in A_i. Thus for every correct process i, A_i will eventually be of size n − t and hence i will
A-Cast “i accepts Ā_i”. Following the same argument, S_i will be of size n − t and hence i will A-Cast
“Reconstruct Enabled” and A-Cast (H_i, S̄_i).

We now show that all correct processes will complete ICC[r]. By the lemma above, we only need
to show that at least one of the correct processes will complete ICC[r]. Suppose by contradiction that
no correct process will complete ICC[r]. Let j be a correct process. If i receives “attach T̄_j to j”
from j and includes j in A_i, then eventually every other correct process will do the same. Hence if i
invokes IVSS[r]-R(x_{k,j}) for k ∈ T̄_j and j ∈ A_i, then eventually every other correct process will also
invoke IVSS[r]-R(x_{k,j}). By termination property (3) of IVSS[r], all correct processes will complete this
IVSS[r]-R(x_{k,j}). Therefore, the values associated with all processes in H_i will be computed. So i
will complete the protocol, in contradiction with the assumption that no correct process will complete.
Therefore, all correct processes will complete.

In the certification protocol, each process needs to check all the invocations of past rounds. However,
since every correct process does this in every round, it is equivalent to each process in every round
checking all the invocations of the previous round. Therefore, all “checked_r, k, l, {i, j}” could be finished
in constant time for correct processes i, j, k, l. Thus all invocations of IVSS[r]-S and IVSS[r]-R in ICC[r]
complete in constant time. Since all A-Casts also complete in constant time, our ICC[r] protocol completes
in constant time as well. □

Lemma 11. In ICC[r], once some correct process j receives “attach T̄_i to i” from the A-Cast of i, a
unique value v_i is fixed such that

1. Every correct process will associate v_i with i or a set of faulty pairs will eventually be inferred by
correct processes.

2. Value v_i is distributed uniformly over [0, ..., u − 1] and is independent of the values associated with
the other processes.

Proof: The correctness property of IVSS[r] ensures that for each k ∈ T̄_i there is a fixed value y_{k,i}
such that all correct processes will output y_{k,i} in IVSS[r]-R(x_{k,i}) or a set of faulty pairs will be inferred.
Let v_i = (Σ_{k ∈ T̄_i} y_{k,i}) mod u; then every correct process will associate v_i with i unless event E
occurs in some instance of IVSS[r], i.e., a set of faulty pairs will eventually be inferred by correct
processes.

It remains to show that v_i is uniformly distributed over [0, ..., u − 1], and is independent of the values
associated with the other processes. A correct process starts reconstructing the secrets attached to process
i only after it completes the “attach T̄_i to i” A-Cast. So the set T̄_i is fixed before any correct process
invokes IVSS[r]-R(x_{k,i}) for some process k. The secrecy property of IVSS[r] now ensures that, by the
time the set T̄_i is fixed, the adversary's view of the invocations of IVSS[r]-S(x_{k,i}) where the dealers are
correct is distributed independently of the shared values. Since T̄_i contains at least one correct process
and every correct process's shared secrets are uniformly distributed and mutually independent, the sum
v_i is uniformly and independently distributed over [0, ..., u − 1]. □

Lemma 12. Once a correct process A-Casts “Reconstruct Enabled”, there is a set M such that

1. For every process j ∈ M, some correct process has received “attach T̄_j to j” from the A-Cast of j.

2. If any correct process k receives (H_j, S̄_j) from j with H_j ⊆ A_k and S̄_j ⊆ S_k and the values
associated with all processes in H_j are computed, then M ⊆ H_j.

3. |M| ≥ n/3.

Proof: Let i be the first correct process to A-Cast “Reconstruct Enabled”. Let M be the set of
processes k for which k ∈ Ā_l for at least t + 1 processes l ∈ S̄_i. We now show that all processes in M
satisfy the properties of the lemma.

It is clear that M ⊆ H_i. Thus process i has received “attach T̄_j to j” for every j ∈ M. Since i is
assumed to be correct, the first part of the lemma is proved.

We now prove the second part. First, S̄_j contains n − t ≥ 2t + 1 processes. Now if k' ∈ M then k'
belongs to Ā_l for at least t + 1 processes l ∈ S̄_i. This ensures that there is at least one process l which
belongs to S̄_i as well as S̄_j. Now l ∈ S̄_j implies that j has ensured that Ā_l ⊆ H_j. Consequently, k' ∈ H_j.

It remains to show that |M| ≥ n/3. We use a counting argument for this purpose. Let h = |S̄_i|. We
have h ≥ n − t. Consider the h × n table A (relative to process i), where A_{l,k} = 1 iff i has received
“l accepts Ā_l” from l before A-Casting “Reconstruct Enabled” and k ∈ Ā_l. Then M is the set of
processes k such that the k-th column in A has at least t + 1 one entries. There are n − t one entries in
each row of A; thus there are h(n − t) one entries in A.

Let m denote the minimum number of columns in A that contain at least t + 1 one entries. We show
that m ≥ n/3. Clearly, the worst distribution of one entries in A is letting m columns be all one entries and
letting each of the remaining n − m columns have t one entries. This distribution requires the number
of one entries to be no more than mh + (n − m)t. Thus, we must have:

$$mh + (n - m)t \ge h(n - t).$$

This gives $m \ge \frac{h(n - t) - nt}{h - t}$. Since $h \ge n - t$ and $n \ge 3t + 1$, we have

$$m \ge \frac{(n - t)^2 - nt}{n - 2t} = n - 2t + \frac{nt - 3t^2}{n - 2t} \ge n - 2t \ge \frac{n}{3}.$$

This shows that |M| ≥ n/3. □


Lemma 13. For every invocation of ICC[r], either

• For each v ∈ {0, 1}, with probability at least 1/4, all correct processes output v; or

• A set of faulty pairs will eventually be inferred by correct processes.

Proof: If E occurs in any instance of IVSS[r] while executing ICC[r], then a set of faulty pairs
will be inferred by correct processes. We prove the first part of the lemma assuming E does not occur.
Suppose correct process j completes ICC[r] with respect to (H_k, S̄_k). Since E does not occur, by Lemma
11, for every process i in A_j there is a fixed value v_i that is distributed uniformly and independently
over [0, ..., u − 1]. Now we consider two cases:

• Let M be the set of processes discussed in the lemma above. Clearly if v_i = 0 for some i ∈ M,
then all correct processes associate 0 with i and output 0. The probability that at least one process
i ∈ M has v_i = 0 is 1 − (1 − 1/u)^{|M|}. Since u = ⌈0.87n⌉, n ≥ 4, and |M| ≥ n/3 by Lemma 12,
we have 1 − (1 − 1/u)^{|M|} ≥ 1 − e^{−0.29} ≥ 0.25. This implies that all correct processes output 0 with
probability at least 1/4.

• If no process i has v_i = 0 (and all correct processes associate v_i with i), then all correct processes
output 1. The probability of this event is at least (1 − 1/u)^n ≥ e^{−1.15} ≥ 0.25.

□
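The constants in the two cases above, and the counting bound of Lemma 12 they rest on, evaluated exactly for concrete n and t. This is an added check, not code from the paper; u = ⌈0.87n⌉ and |M| ≥ n/3 are the paper's choices, and the functions evaluate the bounds without the e^{−x} approximations so the 1/4 claim can be confirmed numerically.

```python
"""Numeric check of the constants in Lemmas 12 and 13 (added example, not from the paper)."""
import math


def coin_parameters(n):
    """Modulus u = ceil(0.87 n) from Step 7 of ICC[r], and the smallest |M| Lemma 12 allows."""
    return math.ceil(0.87 * n), math.ceil(n / 3)


def prob_output_zero(n):
    """Lower bound on Pr[some i in M has v_i = 0] = 1 - (1 - 1/u)^|M| (first case of Lemma 13)."""
    u, m = coin_parameters(n)
    return 1.0 - (1.0 - 1.0 / u) ** m


def prob_output_one(n):
    """Lower bound on Pr[no process has v_i = 0] = (1 - 1/u)^n (second case of Lemma 13)."""
    u, _ = coin_parameters(n)
    return (1.0 - 1.0 / u) ** n


def heavy_columns_bound(n, t, h):
    """Lemma 12: an h x n 0/1 table with n - t ones per row and h >= n - t rows has at least
    (h(n - t) - nt) / (h - t) columns holding t + 1 or more ones."""
    return (h * (n - t) - n * t) / (h - t)


def worst_case_coin_bounds(n_max):
    """Minimum over 4 <= n <= n_max of both probability bounds; both must stay >= 1/4."""
    zeros = min(prob_output_zero(n) for n in range(4, n_max + 1))
    ones = min(prob_output_one(n) for n in range(4, n_max + 1))
    return zeros, ones


def counting_bound_holds(n_max):
    """Check heavy_columns_bound(n, t, h) >= n/3 whenever n >= 3t + 1, t >= 1 and n - t <= h <= n."""
    return all(heavy_columns_bound(n, t, h) >= n / 3
               for n in range(4, n_max + 1)
               for t in range(1, (n - 1) // 3 + 1)
               for h in range(n - t, n + 1))
```

For n = 4 the bounds are 1 − (3/4)^2 = 0.4375 and (3/4)^4 ≈ 0.316; over larger n the smaller of the two settles near 0.29, still above the 1/4 the lemma needs.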

Hence we have the following theorem. 

Theorem 3. Protocol ICC[r] is a terminating, t-resilient Inferable Common Coin protocol.

Proof: The termination properties follow from Lemma 10. The correctness properties follow from
Lemma 13. □


Appendix III. 

From Common Coin to Byzantine Agreement 

First we recall a voting protocol called Vote from [5] which is a primitive required for the construction
of our ABA protocol. Protocol Vote computes whether there is a detectable majority for some value among the
(binary) inputs of all processes. The output of protocol Vote is a tuple with the following meanings.

• For σ ∈ {0, 1}, output (σ, 2) means that there is an overwhelming majority for σ.

• For σ ∈ {0, 1}, output (σ, 1) means that there is a distinct majority for σ.

• (⊥, 0) means that there is no distinct majority.


Vote protocol: code for process i with binary input x_i

1. A-Cast “input, i, x_i”.

2. Define a set A_i. Add (j, x_j) to A_i if “input, j, x_j” is received from the A-Cast of process j.

3. Wait until |A_i| = n − t. Then assign Ā_i = A_i. Set a_i to the majority bit among {x_j : (j, x_j) ∈ Ā_i}
and A-Cast “vote, i, Ā_i, a_i”.

4. Define a set B_i. Add (j, Ā_j, a_j) to B_i if “vote, j, Ā_j, a_j” is received from the A-Cast of process j,
Ā_j ⊆ A_i, and a_j is the majority bit of Ā_j.

5. Wait until |B_i| = n − t. Then assign B̄_i = B_i. Set b_i to the majority bit among {a_j : (j, Ā_j, a_j) ∈ B̄_i}
and A-Cast “revote, i, B̄_i, b_i”.

6. Define a set C_i. Add (j, B̄_j, b_j) to C_i if “revote, j, B̄_j, b_j” is received from the A-Cast of process j,
B̄_j ⊆ B_i, and b_j is the majority bit of B̄_j.

7. Wait until |C_i| ≥ n − t. If all processes j ∈ B̄_i had the same vote a_j = σ, then output (σ, 2) and
terminate. Otherwise, if all processes j ∈ C_i have the same revote b_j = σ, then output (σ, 1) and
terminate. Otherwise, output (⊥, 0) and complete the protocol.


This voting protocol is identical to that of [5]. The reader may refer to Lemmas 5.32-5.35 of [5] for
complete proofs.

Lemma 14. All correct processes complete the voting protocol in constant time. 

Lemma 15. If all correct processes have input σ, then all correct processes output (σ, 2).

Lemma 16. If some correct process outputs (σ, 2), then every correct process outputs either (σ, 2) or
(σ, 1).

Lemma 17. If some correct process outputs (σ, 1), and no correct process outputs (σ, 2), then every
correct process outputs either (σ, 1) or (⊥, 0).
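A simulation of the Vote protocol above that exercises Lemmas 14-17 on small runs. This is an added example, not code from the paper or from [5]; the model is constructed: A-Cast is abstracted as a reliable broadcast delivering every correct process's message to every correct process in a seeded random order, faulty processes stay silent, sets are compared by sender id (equivalent to comparing pairs, since A-Cast delivers one value per sender), and a majority tie is broken toward 0, a convention the page leaves unspecified.

```python
"""Simulation of the Vote protocol (added example, not the paper's or [5]'s code)."""
import random

BOTTOM = None            # stands for the symbol "bottom" in the output (bottom, 0)


def majority(bits):
    """Majority bit of a non-empty collection; ties go to 0 (constructed convention)."""
    return 1 if 2 * sum(bits) > len(bits) else 0


class Voter:
    """State of one correct process i in a single Vote instance."""

    def __init__(self, pid, n, t, x):
        self.pid, self.n, self.t, self.x = pid, n, t, x
        self.inputs, self.votes, self.revotes = {}, {}, {}   # raw messages, keyed by sender
        self.A, self.B, self.C = {}, {}, {}                  # the sets A_i, B_i, C_i
        self.A_bar = self.B_bar = None                       # snapshots of A_i and B_i
        self.output = None

    def start(self, send):
        send(("input", self.pid, self.x))                    # Step 1

    def receive(self, msg, send):
        {"input": self.inputs, "vote": self.votes, "revote": self.revotes}[msg[0]][msg[1]] = msg
        self.progress(send)

    def progress(self, send):
        """Re-run the rules of Steps 2-7 against everything received so far."""
        n_t = self.n - self.t
        for j, (_, _, xj) in self.inputs.items():                        # Step 2
            self.A[j] = xj
            if self.A_bar is None and len(self.A) == n_t:                # Step 3
                self.A_bar = dict(self.A)
                send(("vote", self.pid, self.A_bar, majority(self.A_bar.values())))
        for j, (_, _, Aj, aj) in self.votes.items():                     # Step 4
            if j not in self.B and Aj.keys() <= self.A.keys() and aj == majority(Aj.values()):
                self.B[j] = (Aj, aj)
                if self.B_bar is None and len(self.B) == n_t:            # Step 5
                    self.B_bar = dict(self.B)
                    b = majority([a for _, a in self.B_bar.values()])
                    send(("revote", self.pid, self.B_bar, b))
        for j, (_, _, Bj, bj) in self.revotes.items():                   # Step 6
            if (j not in self.C and Bj.keys() <= self.B.keys()
                    and bj == majority([a for _, a in Bj.values()])):
                self.C[j] = (Bj, bj)
        if self.output is None and self.B_bar is not None and len(self.C) >= n_t:  # Step 7
            votes = {a for _, a in self.B_bar.values()}
            revotes = {b for _, b in self.C.values()}
            if len(votes) == 1:
                self.output = (votes.pop(), 2)
            elif len(revotes) == 1:
                self.output = (revotes.pop(), 1)
            else:
                self.output = (BOTTOM, 0)


def run_vote(n, t, inputs, faulty=frozenset(), seed=0):
    """Run Vote; inputs[i] is process i's bit.  Returns {pid: (sigma, m)} for correct processes."""
    rng = random.Random(seed)
    procs = {i: Voter(i, n, t, inputs[i]) for i in range(n) if i not in faulty}
    queue = []

    def broadcast(msg):                      # reliable broadcast to every correct process
        queue.extend((to, msg) for to in procs)

    for p in procs.values():
        p.start(broadcast)
    while queue:
        rng.shuffle(queue)                   # arbitrary delivery order models asynchrony
        to, msg = queue.pop()
        procs[to].receive(msg, broadcast)
    return {i: p.output for i, p in procs.items()}


def consistent(outputs):
    """Lemmas 16 and 17: some (sigma, 2) forces every output into {(sigma, 2), (sigma, 1)};
    otherwise some (sigma, 1) forces every output into {(sigma, 1), (bottom, 0)}."""
    strong = {s for s, m in outputs.values() if m == 2}
    weak = {s for s, m in outputs.values() if m == 1}
    if len(strong) > 1 or len(weak) > 1:
        return False
    if strong:
        s = next(iter(strong))
        return all(o in {(s, 2), (s, 1)} for o in outputs.values())
    if weak:
        s = next(iter(weak))
        return all(o in {(s, 1), (BOTTOM, 0)} for o in outputs.values())
    return True
```

With n = 4 and t = 1 a unanimous correct input yields (σ, 2) everywhere (Lemma 15), and a split input 1, 1, 0, 0 yields different tuples under different delivery orders, all of them satisfying the consistency pattern of Lemmas 16 and 17.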

Given the voting protocol and our ICC[r] protocol, we can design our ABA protocol following [6].


ABA protocol: code for process i with binary input x_i

1. Set r = 0 and v_1 = x_i. Start the certification protocol.

2. Repeat until completing: (each iteration is considered as a round)

a) Set r = r + 1. Set (y_r, m_r) = Vote(v_r).

b) Invoke ICC[r] and wait until completion. Let c_r be the output of ICC[r].

c) Consider the following cases:

I. If m_r = 2, set v_{r+1} = y_r and A-Cast “complete with v_{r+1}”. Participate in only one more
instance of the voting protocol and only one more ICC[r] protocol.

II. If m_r = 1, set v_{r+1} = y_r.

III. Otherwise, set v_{r+1} = c_r.

d) Upon receiving t + 1 “complete with σ” A-Casts for some value σ, output σ and complete the
protocol.


We now state and prove the following lemmas which are slight variants of Lemmas 5.36-5.39 presented
in [5].

Lemma 18. If all correct processes are in rounds greater than or equal to r, then every correct process
eventually completes ICC[r].

Proof: If some correct process is in a round greater than r, then it must have completed ICC[r].
Then by termination property (2) of ICC[r], every correct process eventually completes ICC[r].

If all correct processes are in round r, suppose that no correct process will complete ICC[r]. Since no
correct process completes ICC[r], all correct processes keep participating. Then by termination property
(1) of ICC[r], every correct process eventually completes. This is a contradiction.

Therefore, the lemma is proved. □

Lemma 19. In our ABA protocol, if all correct processes have the same input σ, then all correct processes
complete and output σ.

Proof: If all correct processes have the same input σ, then by Lemma 15 every correct process will
output (y_1, m_1) = (σ, 2) by the end of Step a. Therefore, every correct process A-Casts “complete with
σ” in the first iteration. Therefore, every correct process will receive at least n − t “complete with σ”
A-Casts, and at most t “complete with σ'” A-Casts. Consequently, every correct process will output σ.

□

Lemma 20. In our ABA protocol, if a correct process completes with output σ, then all correct processes
will complete with output σ.

Proof: Let us first show that if a correct process A-Casts “complete with σ” for some value σ, then
all correct processes will A-Cast “complete with σ”. Let k be the first round when a correct process
i A-Casts “complete with σ”. By Lemma 16, every correct process i has y_k = σ and either m_k = 2
or m_k = 1. Therefore, no correct process A-Casts “complete with σ'” at iteration k. Furthermore, all
correct processes invoke the voting protocol in round k + 1 with input σ. Lemma 15 now implies that,
by the end of Step a of round k + 1, every correct process has (y_{k+1}, m_{k+1}) = (σ, 2). Thus, all correct
processes A-Cast “complete with σ”, either at round k or at round k + 1.

Now assume a correct process completes with output σ. Thus, at least one correct process A-Casted
“complete with σ”. Consequently, all correct processes A-Cast “complete with σ”. Hence, every correct
process will receive at least n − t “complete with σ” A-Casts and at most t “complete with σ'” A-Casts.
Therefore, every correct process will output σ. □

Lemma 21. If all correct processes have initiated and completed some round k, then with probability at
least 1/4, all correct processes have the same value for v_{k+1} or a set of faulty pairs will eventually be
inferred by correct processes.

Proof: We have two cases here. If all correct processes execute Step III in round k, then all correct
processes set their v_{k+1} to the output of ICC[r]. According to the correctness property of ICC[r], the
lemma is true.

Otherwise, some correct process has set v_{k+1} = σ for some σ ∈ {0, 1}, either in Step I or Step II of
round k. By Lemma 17, no correct process will set its v_{k+1} to σ'. According to the correctness property
of ICC[r], with probability at least 1/4, all correct processes have output σ or a set of faulty pairs will
eventually be inferred by correct processes. □

Lemma 22. Let n = 3t + δ; then all correct processes complete the ABA protocol in expected running
time O(t/δ).

Proof: We first show that all correct processes complete protocol ABA within constant time after
the first correct process initiates a “complete with σ” A-Cast in Step I of the protocol. Assume the first
correct process initiates a “complete with σ” A-Cast in round k. Then all correct processes participate
in the voting and common coin protocols of all the rounds up to round k + 1. We have seen in the proof
of Lemma 20 that all correct processes will A-Cast “complete with σ” in round k + 1. All these A-Casts
complete in constant time. Then every correct process completes the ABA protocol after completing
t + 1 of these A-Casts. Consequently, once the first correct process A-Casts “complete with σ”, the ABA
protocol completes in constant time.

Let the random variable τ count the number of rounds until the first correct process A-Casts “complete
with σ”. We have

$$\mathrm{Prob}(\tau > k) = \mathrm{Prob}(\tau \ne 1) \cdot \mathrm{Prob}(\tau \ne 2 \mid \tau \ne 1) \cdots \mathrm{Prob}(\tau \ne k \mid \tau \ne 1 \cap \cdots \cap \tau \ne k - 1).$$

If event E does not occur in round k, we have Prob(τ ≠ k | τ ≠ 1 ∩ ... ∩ τ ≠ k − 1) ≤ 3/4. Hence, by
Lemma 7, Prob(τ > k) ≤ (3/4)^{k − 3t/δ − 1}. By a simple calculation, we have E(τ) ≤ 3t/δ + 17. Therefore,
the expected running time is O(t/δ). □

We have thus shown the following:

Theorem 4. If n = 3t + δ, then there is an almost-surely terminating ABA protocol with expected
running time O(t/δ).